CVE-2026-49977
tarteaucitron.js: data-cookie attribute can be used to delete arbitrary cookies
CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
0th
tarteaucitron.js is a compliant and accessible cookie banner. Prior to 1.33.0, tarteaucitron.cookie.purge() is called on any element with the purgeBtn class and does not check whether the element is a legitimate tarteaucitron button or whether the cookie corresponds to a service handled by tarteaucitron. If an attacker can write HTML with data attributes, an element with data-cookie can silently delete a non-HttpOnly cookie with a known name when clicked by a user. This issue is fixed in version 1.33.0.
| CWE | CWE-285 |
| Vendor | amauric |
| Product | tarteaucitron.js |
| Published | Jul 17, 2026 |
| Last Updated | Jul 17, 2026 |
Stay Ahead of the Next One
Get instant alerts for amauric tarteaucitron.js
Be the first to know when new medium vulnerabilities affecting amauric tarteaucitron.js are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
Affected Versions
AmauriC / tarteaucitron.js
< 1.33.0
References
github.com: https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-jxj7-g6gm-49j7 github.com: https://github.com/AmauriC/tarteaucitron.js/commit/24b5464400ae2ff1ad96a092c629b9d632b9cc93 github.com: https://github.com/AmauriC/tarteaucitron.js/releases/tag/v1.33.0 drupal.org: https://www.drupal.org/sa-contrib-2026-040